{{ message }}
Tags: ConductorOne/baton-sql
Tags
docs(bsql): document supported date/time formats + cover them with te… …sts (#137) Extend TestParseTime with 16 new table-driven cases that exercise every format the connector accepts: RFC3339/Nano with offsets, MySQL/PostgreSQL space-separated timestamps at ms/µs/ns precision, ISO8601 with fractional seconds and timezone offsets, European and US slash notation (datetime and date-only), Oracle NLS_DATE_FORMAT variants (uppercase/mixed-case/short-year abbreviations, long and full month names, date-only), DB2 TIMESTAMP, and numeric Unix epoch seconds and milliseconds. Add docs/datetime-formats.md, an end-user config reference that documents exactly the tested set: grouped by DB family, one concrete example per format, the epoch range guards, the US/EU slash ambiguity note, the best-effort skip-on-failure behaviour, and an escape hatch (cast to ISO 8601 in the query) for unlisted formats. Co-authored-by: Paul Querna <paul.querna@conductorone.com> Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
CXH-1584: Surface database-level access in redshift connector (#134) * Surface database-level access in redshift example (CXH-1584) The database connect entitlement was always empty: Redshift's svv_database_privileges never emits CONNECT, only TEMP/USAGE/CREATE granted to named principals or PUBLIC. The grant query filtered on CONNECT and the map only handled user/role/group identity types. Rename the entitlement to access (which matches what it actually represents), widen the query to privilege_type IN ('TEMP', 'USAGE', 'CREATE'), and update the three map entries' entitlement_id. Keep immutable: true until per-privilege provisioning is validated end to end. PUBLIC rows are intentionally skipped here; modeling PUBLIC needs a synthetic principal and is tracked as a follow-up. Verified against the local stub: grants now emit database:dev:access:user:alice, database:dev:access:group:analysts, and database:analytics:access:role:editor, with PUBLIC rows skipped. * fix lint: use context-aware sql calls in grant reject test * Dedup redshift database-access grants in example query svv_database_privileges emits one row per (principal, database, privilege_type), so a principal holding TEMP+USAGE+CREATE produced three identical grants (same principal, same `access` entitlement, same database). The c1z store dedups them on write via the unique index on (external_id, sync_id), so the end state was correct, but the connector still spent cycles emitting and serializing the duplicates. Switch the SELECT to DISTINCT on (identity_name, identity_type, database_name) so a principal contributes exactly one row regardless of how many of TEMP/USAGE/CREATE they hold.
CXH-1396: add Amazon Redshift example (#125) * add redshift example and docs * expand multi-db config doc comments * restrict grantable_to to [user] C1 only provisions grants to user grantees, and the existing GRANT/REVOKE queries assume a username (no TO ROLE / TO GROUP keyword). Listing role or group in grantable_to advertised provisioning paths the SQL could not actually execute. Restrict every static_entitlements grantable_to to [user] across role, database, schema, and table entitlements. Grant-discovery blocks still emit role/group principals where the privilege views report them; that is state reporting, not provisioning.
CXP-543 Add support for custom Password Constraints (#128) * feat: support password constraints in RandomPasswordConfig Add a Constraints field to RandomPasswordConfig allowing connector admins to declare character set rules (char_set + min_count) in YAML. When set, these constraints are injected into the LocalCredentialOptions before password generation via proto.Clone, replacing any platform-provided constraints while preserving all other proto fields. Validation rejects empty char_set or non-positive min_count at config load time. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add password constraint examples and config_test coverage Add constraints to all example files that use random_password, tailored to each database's password policy. Oracle uses alphanumeric-only constraints (replacing the bogus allowed_chars field) with a comment explaining the restriction. SQL Server includes a comment referencing CHECK_POLICY. Also adds two TestParse cases covering constraint round-trip parsing and the no-constraints default. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: fix validation for negative nums, address lint error * chore: address lint error with explicit value validation * chore: deprecate MaxLength/MinLength and remove from validation and examples Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: ensure only char from the provided charset are used to generate the password * chore: improve var types to avoid multiple casts between numeric types --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add exclusion group (#126) * use temporary shape for exclusion groups (need to update after sdk and baton-sql changes land); verified that it works for testing for now * WIP: exclusion groups * add annotations for grant replaced * add exclusive * remove not grant to replace * fix example * upgrade baton-sdk * fix compile * fix transaction issues * return err for skipIf invalid cel expression --------- Co-authored-by: Alan Lee <lee.alan.c12@gmail.com>
Fix incorrect next-page offset calculation (#115) pCtx.Offset is already a row offset, not a page number. The previous formula `pCtx.Offset * pageSize + pageSize` treated it as a page index, causing the offset to jump from 200 to 10100 after the second page (with pageSize=100), which broke pagination beyond 200 records. The correct formula is simply `pCtx.Offset + pageSize`. Fixes CXH-1261 Co-authored-by: c1-dev-bot[bot] <2740113+c1-dev-bot[bot]@users.noreply.github.com>
PreviousNext